zouppen · April 17, 2024 21:52 · Nov 10, 2022 · Nov 10, 2022 · Nov 10, 2022 · Nov 10, 2022
diff --git a/README.md b/README.md
@@ -50,4 +50,8 @@ addition to public Internet.
 
 ## Author
 
-Joel Lehtonen. [Feel free to support me on Github](https://github.com/sponsors/zouppen).
+Joel Lehtonen. [Feel free to support me on
+Github](https://github.com/sponsors/zouppen).
+
+Some ideas are borrowed from [jkullick's
+gist](https://gist.github.com/jkullick/62695266273608a968d0d7d03a2c4185), thanks!
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
 # Block Tor exit nodes with Linux and ipset
 
-This gist blocks incoming traffic from Tor exit nodes. You can also
-use it to `MARK` or redirect the incoming traffic, depending of your
-needs.
+This gist blocks incoming traffic from
+[Tor](https://www.torproject.org/) exit nodes. You can also use it to
+`MARK` or redirect the incoming traffic, depending of your needs.
 
 This guide is for IPv4 only, feel free to contribute IPv6 support if
 you have it.

diff --git a/README.md b/README.md
@@ -39,6 +39,15 @@ iptables -I INPUT 1 -j TORDROP
 
 To keep your rules after reboot, use *iptables-persistent* or similar tool.
 
+## A word about Tor
+
+The objective of this script is not to prevent Tor users from
+accessing information. My goal is minimize the attack surface to my
+services and/or marking Tor traffic to detect scamming attempts and
+so. Please don't use it to prevent information sharing and consider
+serving your content using a hidden service (onion address) in
+addition to public Internet.
+
 ## Author
 
 Joel Lehtonen. [Feel free to support me on Github](https://github.com/sponsors/zouppen).
diff --git a/README.md b/README.md
@@ -1 +1,44 @@
-# TODO
+# Block Tor exit nodes with Linux and ipset
+
+This gist blocks incoming traffic from Tor exit nodes. You can also
+use it to `MARK` or redirect the incoming traffic, depending of your
+needs.
+
+This guide is for IPv4 only, feel free to contribute IPv6 support if
+you have it.
+
+## Installing
+
+Deploy `generate_tor_exit_ipset` to `/opt` and `tor_block.service` and
+`tor_block.timer` to `/etc/systemd/system`.
+
+Create empty ipset called `tor_exit`. If you use
+*netfilter-persistent* you can add the following line to
+`/etc/iptables/ipsets`:
+
+```
+create tor_exit hash:ip family inet hashsize 1024 maxelem 65536
+```
+
+Reload systemd and then enable and start the timer:
+
+```sh
+systemctl daemon-reload
+systemctl enable tor_block.timer
+systemctl start tor_block.timer
+```
+
+Add the filter rule to your firewall, e.g. in iptables:
+
+```
+iptables -N TORDROP
+iptables -A TORDROP -m state --state RELATED,ESTABLISHED -j RETURN
+iptables -A TORDROP -m set --match-set tor_exit src -j REJECT --reject-with icmp-host-prohibited
+iptables -I INPUT 1 -j TORDROP
+```
+
+To keep your rules after reboot, use *iptables-persistent* or similar tool.
+
+## Author
+
+Joel Lehtonen. [Feel free to support me on Github](https://github.com/sponsors/zouppen).
diff --git a/generate_tor_exit_ipset b/generate_tor_exit_ipset
@@ -0,0 +1,7 @@
+#!/bin/sh -eu
+#
+# See /etc/systemd/system/tor_block.service
+
+echo flush tor_exit
+curl -sSL "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=`curl -4 ifconfig.co`" | \
+    sed -nre 's/^[0-9\.]*$/add tor_exit \0/p'
diff --git a/tor_block.service b/tor_block.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Tor exit node ipset population
+After=network-online.target
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart=/bin/sh -c "sudo -u nobody /opt/generate_tor_exit_ipset | ipset restore"
diff --git a/tor_block.timer b/tor_block.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Update Tor exit node list daily
+
+[Timer]
+OnUnitActiveSec=1day
+OnBootSec=0s
+
+[Install]
+WantedBy=timers.target
diff --git a/README.md b/README.md
@@ -0,0 +1 @@
+# TODO
No results found